Services, such as transactions between bank accounts, are nowadays mostly initiated via wired or wireless communication channels, such as telephone networks or the Internet. Access to such services is typically controlled by authentication procedures. The most widely applied authentication procedures range from simple techniques, such as requesting a username and a password, to technically more advanced procedures that rely on biometric data read by a biometric sensor, such as a fingerprint capturing module.
Generally speaking, technically complex and cost-intensive technologies are required to ensure a high level of security. However, even the complex technologies applied nowadays are often vulnerable to attacks such as a man-in-the-middle attack. In such a man-in-the-middle attack, the attacker sets up independent connections with the service requester and the service provider. The attacker then relays messages between them, making them believe that they are communicating directly with each other over a secure connection. In this way, for example, an attacker may retrieve biometric data from a requester, which can be used to compromise the service provider system. Attackers may also use tools such as keystroke loggers, sniffers or trojans to manipulate a system to forward calls. Mobile phones used by requesters may be spied on using an IMSI-catcher.
The various services offered by a service provider often differ tremendously in the desired security level. For example, the amount of money transferred by bank transactions may vary considerably between single transactions. Therefore, technically complex and cost-intensive solutions are only implementable for a small number of service requests.
Hence, there is a need for an authentication system that is configurable for very high security with minimal additional costs.
This problem is solved by the subject-matter of the independent claims. Further embodiments are the subject of the dependent claims.